Ransomware attacks emerge from the shadows

More “ransomware” attacks can be expected along the lines of the incident reported last week, when a Los Angeles hospital agreed to pay the equivalent of $17,000 in bitcoins to regain control of its computer systems.

Experts say that developing information technology systems with isolated components, which would make entry into entire systems more difficult, and maintaining a robust backup system are among the techniques available to prevent or deal with such attacks.

Insurance coverage, through sublimits in cyber policies and in kidnap and ransom policies, is also available, these experts say.

Allen Stefanek, president and CEO of Hollywood Presbyterian Medical Center, a private 434-bed facility, said in a statement last week that the hospital staff noticed problems accessing its computer network Feb. 5 and that an investigation by its IT department determined it had suffered a malware attack.

“The malware locked access to certain computer systems and prevented us from sharing communications electronically,” said the statement.

According to news reports, doctors at the hospital were forced to use telephones and fax machines to relay patient information, and communications between physicians and staff were bogged down by paper records and difficulty deciphering doctors' handwriting. There were also reports of ambulances being diverted from the hospital.

The hospital received a ransom demand of 40 bitcoins, the equivalent of about $17,000, to obtain the decryption key to unlock the system, and it paid the ransom.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” said Mr. Stefanek's statement. He said the hospital had restored its electronic medical records system by Feb. 15.

“Patient care has not been compromised in any way. Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access,” said the statement.

A hospital spokeswoman had no further comment.

Underappreciated risk emerges

The incident “is evidence of a risk that is significant to all companies, but is not well-enough appreciated,” said Linda D. Kornfeld, a partner at Kasowitz Benson Torres & Friedman L.L.P. in Los Angeles.

“A number of executives nationwide, I think, are looking at this and appreciating that there is an issue there, and it's something that needs to be seriously considered from multiple aspects, including the insurance coverage aspect,” Ms. Kornfeld said.

Ms. Kornfeld said ransomware is a significant risk, “and I would presume that it's just going to be an ever-growing risk given the creativity of the cyber criminal.”

Katherine Keefe, Philadelphia-based global head of Beazley P.L.C.'s breach response services unit, said data on the frequency of such incidents is difficult to obtain. Because they do not necessarily involve a situation where personally identifiable information is accessed, there are no notification requirements, which means these incidents may not be made public.

“It's just going on sub-rosa,” she said. But “it's clearly turned into a business model for some criminals, and clearly they're having some amount of success in extracting ransom payments.”

“Everyone talks about training your employees,” but “it's very difficult to stop,” Mr. Beeson said of workers responding to phishing. Health care entities in particular operate on relatively thin margins, which means they have limited resources to invest in their cyber security systems, he said.

The type of malware used in the attack has been around since 2005 but has mutated over the past 10 years “to be much more stealthy,” said Norman Comstock, a cyber security consultant and managing director of Berkeley Research Group Inc. L.L.C. in Houston.

“The premise is being considered by criminal groups that realize this is an efficient way to potentially hit payday,” he said.

Mr. Comstock said the incident raises questions about the effectiveness of the hospital's intrusion detection system. In addition, entities should have computer systems that have segregated elements rather than a “flat network,” he said, to prevent a hacker from immediately gaining access to the entire system.

Entities should have a “robust disaster recovery program, whereby the critical infrastructure is protected as best as possible and can be brought back on line in the form of a backup as quickly as possible,” said Ms. Keefe.

“It's the organization that can't do that quickly or efficiently that ends up in a situation where paying a ransom is the only available option,” she said.

In addition, multiple insurers offer coverage for ransomware through a sublimit in their cyber risk policies, experts say.

“If we start to see even more frequency of these attacks, I wonder whether the insurers will start to charge more for this element of their cyber insurance policy,” Mr. Beeson said.

Policyholders may also be able to obtain coverage through an endorsement to their kidnap and ransom coverage, say experts.